IBM9C95F0476EE4A00F6E74C77DAD5D0B076F37615CF49BD0440FEC5460D1426DB8Security Bulletin: Vulnerability of Google Gson (gson-2.8.2.jar ) have affected APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
64.4%
Summary
APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent is vulnerable to Google Gson (gson-2.8.2.jar ) 217225, CVE-2022-25647. The fix/workaround includes gson-2.8.2.jar upgraded to gson-2.10.1.jar.
Vulnerability Details
CVEID:CVE-2022-25647
**DESCRIPTION:**Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
**IBM X-Force ID:**217225
**DESCRIPTION:**Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| APM Agents for Monitoring | all |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading:
Product Remediation
|
Fix
—|—
APM on-premise
|
1. APM WebSphere Application Server Agent release 8.1.4.0.20 (WAS Agent version: 07.30.14.19)
2. APM SAP NetWeaver Agent release 8.1.4.0.20 (SAP NetWeaver Agent version: 08.23.05.00)
Download the APM Agents installer from Passport Advantage. Please refer below link for download instructions:
<https://www.ibm.com/docs/en/capmp/8.1.4?topic=advantage-part-numbers>
Workarounds and Mitigations
For APM WebLogic Agent, this vulnerability is not fixed in APM 814020 release. Please follow below steps as a workaround:
gson-2.8.2.jar must be upgraded from Maven Repository: Search/Browse/Explore (mvnrepository.com)
Procedure:
Step 1: Stop the agent and replace gson-2.8.2.jar with it’s latest version gson-2.10.1.jar
Windows:
i. Navigate to the directory $CANDLEHOMEC\TMAITM6_x64<dchome><version>\ttdc\lib\ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of gson-2.8.2.jar and replace it with the latest version ie. gson-2.10.1.jar.
Linux:
i.Navigate to the directory $CANDLEHOMEC/<dchome>/<version>/ttdc/lib/ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of gson-2.8.2.jar and replace it with the latest version ie. gson-2.10.1.jar.
Step 2 : Restart the agent.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm application performance management | eq | 8.1.4 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
64.4%